Method to grant access to a data communication network and related devices

ABSTRACT

A method to grant a supplicant access to a data communication network and related devices is claimed. A first supplicant is associated to a Medium Access Control address and is coupled to a first port of an authenticator of the data communication network. The method comprises: a step of transmitting an authentication request by the authenticator to an authentication server being coupled thereto; a step of making by the authentication server an authentication decision based upon predefined rules and conditions; and a step of transmitting by the authentication server to the authenticator an authentication reply that comprises a result of the authentication decision. The method further comprises a step of developing by the authentication server a first registration memory that comprises entries, whereby an entry comprises an association between a Medium Access Control address of a granted supplicant and a granted password, the granted supplicant having previously received a grant to access the data communication network. The predefined rules and conditions comprise a first controlling step of the first registration memory upon a presence of a previous entry that comprises a first association between the first Medium Access Control address of the first supplicant and a first password for the supplicant. In the event when the first controlling step is positive, the method further comprises generating a result that comprises an authentication for the first Medium Access Control address with the first password and thereby granting the first supplicant access to the data communication network via the first port of the authenticator.

The present invention relates to a method to grant a supplicant access to a data communication network. The present invention relates also to an authentication server and an authenticator that realizes such a method. Such a method and devices are already known from the IEEE Standard 802.1X-2001.

Therein it is described at page 5, § 3.1, that a supplicant is an entity at one end of a point-to-point Local Area Network segment that is authenticated by an authenticator attached to the other end of that link. It has to be remarked that the term supplicant is used in this document instead of terms such as peer, which is used in other access control-related specifications.

At page 5, § 3.1, it is also described that a network access port is a point of attachment of a system to a LAN. It can be a physical port, for example, a single LAN Medium Access Control attached to a physical LAN segment, or a logical port, for example, an association between a station and an access point. It has to be remarked that the term “port” is used in this document as an abbreviation of network access port.

Furthermore it is described that an authenticator is an entity at one end of a point-to-point LAN segment that facilitates authentication of the entity attached to the other end of that link. The authenticator is responsible for communication with the supplicant and for submitting the information received from the supplicant to a suitable authentication server in order to ensure the check-up of the credentials and to determine thereby the consequent state.

An authentication server is an entity that provides an authentication service to an authenticator. This service determines, from the credentials provided by the supplicant, whether the supplicant is authorized to access the services provided by the authenticator. The authentication server functions can be collocated with an authenticator, or it can be accessed remotely via a network to which the authenticator has access.

In this way, the method to grant a supplicant access to a data communication network, whereby the supplicant is associated to a Medium Access Control address and is coupled to a port of the authenticator of the data communication network, comprises the following steps:

-   a step of transmitting an authentication request by the authenticator to an authentication server being coupled thereto; and
-   a step of making by the authentication server an authentication decision based upon predefined rules and conditions; and
-   a step of transmitting by the authentication server to the authenticator an authentication reply that comprises a result of the authentication decision.

Furthermore at page 10 of this IEEE Standard 802.1X-2001, it is mentioned that the details of communication between the authenticator and the authentication server are outside the scope of this IEEE Standard 802.1X-2001. However, such communication could typically be implemented by means of an Extensible Authentication Protocol, shortly called herein EAP, connection carried over appropriate higher layer protocols, for example, by means of EAP over RADIUS. Hence the authentication server can be located outside of the confines of the LAN that supports the “EAP over LAN”, i.e. the EAPOL, exchanges between supplicant and authenticator; and the communication between the authenticator and authentication server need not be subject to the authentication state of the controlled port(s) of the systems concerned.

In this way, according to this possible implementation, and as it is described by the IETF RFC 2865, June 2000, § 2 Operation/Introduction, the authentication server, as the RADIUS server, receives the request, it validates the sending client i.e. the authenticator, and it consults a database of users i.e. supplicants to find the user whose name matches the request. The user entry in the database contains a list of requirements that must be met to allow access for the user. This mostly includes verification of the password, but can also specify the client(s) or port(s) to which the user is allowed access. Furthermore, at page 6 of this Standard, it is described that if all conditions are met, the list of configuration values for the user i.e. the supplicant, is placed into an “Accept” response. These values include the type of service and all necessary values to deliver the desired service. These values may include values such as an IP address, a subnet mask, the desired compression, and desired packet filter identifiers or desired protocol and host.

The step of making by the authentication server an authentication decision based upon predefined rules and conditions is also described at page 7 of IEEE Standard 802.1X-2001, i.e. the authentication server performs the authentication function to check the credentials of the supplicant on behalf of the authenticator and indicates whether the supplicant is authorized to access the authenticator's services. In this way port-access control provides an extension to the functionality of a system that offers a means of preventing unauthorised access by supplicants to the services offered by that system. For example, if the system concerned is a MAC Bridge, control over access to the Bridge and the LAN to which it is connected can be desirable in order to restrict access to publicly accessible Bridge Ports, or within an organisation, to restrict access to a departmental LAN to members of that department.

Access control is achieved by the system enforcing authentication of supplicants that attach to the system's controlled Ports. From the result of the authentication process, the system can determine whether or not the supplicant is authorized to access its services on that controlled Port. If the supplicant is not authorized for access, the system sets the controlled Port state to unauthorized. The mechanisms defined can be applied to allow any System to authenticate another System that is connected to one of its controlled Ports. The Systems concerned include end stations, servers, routers, and MAC Bridges.

It has to be remarked that at page 21, § 8.2 Scope, of IEEE Standard 802.1X-2001, it is described that the operation of Port-based Access Control assumes that the Ports on which it operates offer a point-to-point connection between a single supplicant and a single authenticator. It is this assumption that allows the authentication decisions to be made on a per-Port basis. And furthermore that “the authentication of multiple supplicants attached to a single authenticator is outside of the scope of this standard”. It has to be explained however that, in order not to overload the present description and the present FIG. 1, the authenticator described in the preamble of the claims and in this further description is an integration of a plurality of authenticators as described in the Standard. However, it has to be understood that the authentication decision, in the above-mentioned Standard 802.1X-2001, remains on a per-Port basis. Moreover, the authenticator of the present invention can be implemented in a distributed way, over the different ports, which brings it back into the one-to-one relation between supplicant and authenticator.

A problem outstanding with this method to grant a supplicant, e.g. SUP1, access to a data communication network will be described now by means of an example. Presume the following topology wherein a first user is using a first customer premises equipment with a first supplicant SUP1 that is coupled to a first port P1 of an access unit that comprises such an authenticator AUTH1; and that a second user is using a second customer premises equipment with a second supplicant SUP2 that is coupled to a second port P2 of this access unit. The method to grant the first supplicant SUP1 access to the data communication network DCN of the authenticator comprises:

-   a step of transmitting an authentication request by the authenticator AUTH1 to an authentication server AS being coupled thereto; and
-   a step of making by the authentication server AS an authentication decision based upon predefined rules and conditions; and
-   a step of transmitting by the authentication server AS to the authenticator an authentication reply that comprises a result of said authentication decision.

As it is described above, the authentication decision comprises a list of requirements that must be met to allow access for the user. This list comprises mostly verification of the password, but can also specify the client(s) or port(s) to which the user is allowed access. Presume that based on the first user's password verification, the first supplicant SUP1 is authorized to get access via the first port P1 of the authenticator to the communication network.

Now, the method to grant the second supplicant SUP2 access to the data communication network of the authenticator comprises similar steps. Based upon the second user's password verification, the second supplicant SUP2 is authorized to get access via the second port P2 of the authenticator to the communication network. However, in the event when the second premises equipment uses a Medium Access Control address e.g. MAC2 being associated to the second supplicant SUP2, which has e.g. by coincidence the same value as the Medium Access Control address MAC1 that is used by the first premises equipment i.e. being associated to the first supplicant SUP1, the result will still comprise an authentication for this second supplicant. This means that independently of whether the Medium Access Control addresses have the same value or not, each supplicant will receive its grant by merely fulfilling the password requirements. This results in MAC address duplicates and thereby in denial of service and/or service degradation attacks.

Such MAC address duplicates are often solved by solutions in the MAC data plane or the Internet Protocol layer data plane, such as e.g. MAC address translation, VLAN segregation or MAC address registration in the access node itself.

With the above methods the MAC address duplicates are mostly solved in one access node independently of other access nodes and suppose that MAC address duplicates are rare events since users cannot know each other's MAC address. However, these solutions break down when direct peer-to-peer communication is allowed between users of the same access node and users of different access nodes. When peer-to-peer communication is allowed, users will also know each other's MAC address and therefore any user can steal the MAC address of another. Again, this still results in denial of service and/or service degradation attacks.

Furthermore, the known authentication methods associate a user's credential i.e. its password, with its DSL line i.e. the port of the authenticator AUTH1, whereby user nomadism is not allowed. This means that the above mentioned first user would not be allowed to go to the second user's home and to use the computer that comprises the second supplicant of the second user with its own password (password of the first user); or this means that the above mentioned first user would not be allowed to go to the second user's home in order to use there its own computer (of the first user) with its own password (password of the first user).

An object of the present invention is to provide a method to grant a supplicant access to a data communication network and an authentication server and authenticator performing such a method, such as the above known ones but whereby user nomadism is allowed and whereby Medium Access Control address stealing is prohibited.

According to the invention, this object is achieved by means of the method of claim 1, the authentication server of claim 5 and the authenticator of claim 9. Indeed, the method further comprises a step of developing by the authentication server a first registration memory that comprises entries. One such entry comprises an association between a Medium Access Control address of a granted supplicant and a password for said granted supplicant that previously received a grant to access an allowed data communication network via an authenticated port. Furthermore the predefined rules and conditions comprise a first controlling step of controlling the first registration memory by means of a first control means of the decision means, upon a presence of a previous entry that comprises a first association between the Medium Access Control address of the first supplicant and the password for the first supplicant. Furthermore, in the event when this first controlling step is positive, the method further comprises a step of generating a result that comprises an authentication for the first Medium Access Control address with the first password and thereby granting the first supplicant access to the data communication network via the first port of the authenticator.

Indeed, since the registration memory is built up, all supplicants e.g. SUP2 that previously received an authentication i.e. a grant to access an allowed data communication network are registered in this first registration memory by means of an entry that comprises a pair (MAC address being associated to the supplicant; password of the user that uses the customer premises equipment that comprises this supplicant) e.g. (MAC2, PSWD2). Upon reception of a new authentication request from the authenticator by the authentication server for a particular supplicant e.g. SUP1 that desires access, the authentication server first controls for this particular supplicant the presence of an association entry i.e. the pair (associated MAC address of the particular supplicant; password of the user for the supplicant) e.g. (MAC1, PSWD1) in the first registration memory. When this association entry is present in the database i.e. the first registration memory, the first supplicant being used by the first user is authorized access. Even when this first user would not be at its own place, as long as this particular association (MAC1, PSWD1) is present, access to the network is allowed.

The information i.e. the associated MAC address of the particular supplicant and the password for the supplicant i.e. the password of the user that uses the customer premises equipment which comprises the supplicant, are usually to be found in the authentication request of the authenticator.

Besides the execution of the usual rules and conditions, the execution of this first controlling step of the authentication server i.e. taking into account the MAC address/user password relation, provides an improved result of the authentication decision i.e. the result now allows user nomadism in a data communication network.

Furthermore the authenticator comprises an interpreter to interpret the authentication reply as being received from an authentication server that indeed takes the (MAC address, user password) association into account. The interpreter also sets a filter of this authenticator according to the content of the result in the authentication reply. Hereby, in the event when the result comprises an authentication for the Medium Access Control address and for the user password, whereby the supplicant with the Medium Access Control address was indeed granted access to the data communication network via the port of the authenticator, the filter is set to accept traffic of the supplicant via the port, but only for the specified Medium Access Control address. Similarly, in the event when the result comprises a refusal for the Medium Access Control address with the user password, whereby the supplicant with the Medium Access Control address is denied access to the data communication network via the port of the authenticator, the filter is set to refuse all traffic of the supplicant.

This means that access to a data communication network via a port of the authenticator is granted to a supplicant for only the MAC address for which the authentication procedure was successfully fulfilled in association with the user password of the supplicant.

So, in the event when the first controlling step, being executed by the authentication server, is positive, the method according to the present invention comprises a step of generating by the decision means a result that comprises an authentication which thereby grants the supplicant with the Medium Access Control address and the associated user password access to the data communication network via the port of the authenticator. This means that when a first full match of the requesting pair (MAC address, password) is found in the registration memory, this same (MAC address, password) pair i.e. this same supplicant with the same password, already received previously a grant to access the communication network. The user of the customer premises equipment of this supplicant desires to access the network again. Permitting access again, even at a different access line, allows user nomadism.

Furthermore, in the event when the first controlling step is negative, the method further comprises a second controlling step, executed by a second control means, of controlling the first registration memory upon a presence of a previous entry that comprises a second association between the Medium Access Control address of the supplicant and any other password i.e. a check upon a semi-match with an entry of the first registration memory. Indeed, the first registration memory is controlled upon the presence of the MAC address of the supplicant e.g. SUP2, even when the entry was made in association with another password than the password for which access is requested for the supplicant. In the event when the second controlling step is negative, the method further comprises a step of generating by the decision means a result that comprises an authentication for the first Medium Access Control address with the first password and thereby granting the first supplicant access to the data communication network via the first port of the authenticator. Furthermore, the method comprises a step of registering an entry in the first registration memory with the first association between the first Medium Access Control address of the first supplicant and the first password of the first supplicant. This is described in claim 2 and claim 6. Indeed, when the first Medium Access Control address is not at all present, being associated neither with the first user password nor with another user password, it means that no previous access was provided. This concerns a new access that is allowed. Hereby it is needed to complete the first registration memory and to insert the newly learned association between the first Medium Access Control address and the user password for the supplicant.

It has to be remarked that the wording ‘second association’ doesn't mean that the MAC address should be found for a second time in the registration means. The ‘second association’ just means that a ‘second kind of association’ i.e. a ‘second kind of entry’ is to be looked up in the first registration memory. More precisely, the presence of a previous entry upon a pair (MAC address; any other password besides the password for which the request was received) is controlled by the second control means.

Furthermore, the method further comprises developing by the authentication server a second registration memory that comprises entries whereby an entry comprises an association between a Medium Access Control address of a granted supplicant and an authenticated port for the granted supplicant that previously received a grant to access an allowed data communication network via the authenticated port; and in the event when the second controlling step would have been negative, also registering an entry in the second registration memory with an association between the first Medium Access Control address of the first supplicant and the first port of the authenticator. This means that besides the entries with an association (Medium Access Control address/password) also entries with an association (Medium Access Control address/port of the authenticator via which the supplicant is coupled to the authenticator) are kept. This is described in claim 3 and claim 7.

Furthermore, the method also comprises, in the event when said second controlling step is positive:

-   a third controlling step of controlling with a third control means this second registration memory upon a presence of a previous entry that comprises a third association between the first Medium Access Control address of the first supplicant and the first port of the authenticator; and
-   a fourth controlling step of controlling with a fourth control means this second registration memory upon a presence of a previous entry that comprises a fourth association between the first Medium Access Control address of the first supplicant and another port of the authenticator; and
-   in the event when the third controlling step is positive, the method further comprises a step of generating a result that comprises an authentication for the first Medium Access Control address with the first password and thereby granting the first supplicant access to the data communication network via the first port of the authenticator; and
-   in the event when the third controlling step is negative and the fourth controlling step is positive, generating a result that comprises a refusal for the first port and for the first Medium Access Control address and thereby denying the first supplicant access to the data communication network via the first port.

By comprising the third and fourth controlling step, the second registration memory is also checked upon the presence of entries regarding the Medium Access Control address of the supplicant that demands access to the network. In the event when an association of the first Medium Access Control address with another password was found in the first registration memory and this first Medium Access Control address is also to be found in the second registration memory, the associated port in the second registration memory plays a role. When this associated port is indeed the port via which the first supplicant requests access i.e. the first port, authorization is provided, since this means that the user is at another home, using this home's computer with its own (first user) password i.e. user nomadism.

Finally, when the first Medium Access Control address, besides an association with another password, is found back in an entry in the second registration memory in association with another port, the first Medium Access Control address is stolen, whereby access is refused i.e. the authentication server thereby denies the first supplicant associated with the first Medium Access Control address access to the data communication network via the requested port of the authenticator. Indeed, allowing a supplicant with a particular MAC address to access the data network in the event when this MAC address was already previously registered in the registration memory, although at another port, would generate MAC duplication. The presence of the entry in the registration memory of the MAC address in association with another port has the meaning that either the requesting supplicant has by coincidence the same particular MAC address as already registered, or that a malicious user has been stealing the particular MAC address and tries to use it. In both situations access to the data communication network by the supplicant with this particular MAC address should be avoided. This is realized by comprising a refusal in the result of the decision means. This is described in claim 4 and claim 8.
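The four controlling steps over the two registration memories, together with the authenticator's filter update on the reply, modelled as an added Python example (not the patent's own code). It assumes a user database for the usual password verification and uses constructed sample users, MAC addresses and ports; the case of a MAC address present in the first memory but absent from the second is not defined by the description and is assumed here to fail closed.

```python
from dataclasses import dataclass, field

GRANT = "authentication"
REFUSE = "refusal"


@dataclass
class AuthServer:
    """Authentication server AS: decider DEC with controllers CONT1..CONT4
    and the two registration memories (model, not the patent's code)."""
    # Assumed user database for the usual password verification (user -> password).
    users: dict
    # First registration memory: (MAC address, password) pairs of granted supplicants.
    mem1: set = field(default_factory=set)
    # Second registration memory: (MAC address, authenticated port) pairs.
    mem2: set = field(default_factory=set)

    def decide(self, user, password, mac, port):
        """Authentication decision for a request carrying the supplicant's MAC
        address, the user's password and the port the request arrived on."""
        # Usual rules and conditions first: the credential itself must verify.
        if self.users.get(user) != password:
            return REFUSE, "password verification failed"
        # CONT1: full match of the requesting (MAC, password) pair. Granted even
        # on a different access line, which is what allows user nomadism.
        if (mac, password) in self.mem1:
            return GRANT, "full match in first registration memory"
        # CONT2: semi-match, the same MAC registered with any other password.
        if not any(m == mac for m, _ in self.mem1):
            # MAC never seen before: a new access. Learn both associations.
            self.mem1.add((mac, password))
            self.mem2.add((mac, port))
            return GRANT, "new access, associations registered"
        # CONT3: the MAC is bound to the very port that requests access, so a
        # nomadic user sits at another home using that home's computer.
        if (mac, port) in self.mem2:
            return GRANT, "MAC registered on requesting port"
        # CONT4: the MAC is bound to another port: duplicate or stolen address.
        if any(m == mac and p != port for m, p in self.mem2):
            return REFUSE, "MAC registered at another port"
        # Not covered by the description (cannot occur while both memories are
        # built together); assumed to fail closed.
        return REFUSE, "MAC known without port association"


class Authenticator:
    """Authenticator AUTH1: interpreter INTPR sets the per-port filter FILT.
    A port entry holds the single accepted MAC address, or None after a refusal."""

    def __init__(self):
        self.filt = {}

    def interpret(self, reply, port, mac):
        result, _reason = reply
        # Grant: accept the supplicant's traffic on that port, but only for the
        # MAC address the authentication was fulfilled for. Refusal: drop all.
        self.filt[port] = mac if result == GRANT else None

    def accepts(self, port, mac):
        return self.filt.get(port) == mac


def scenario():
    """Replay the cases from the description with constructed sample values.
    Returns the list of results and the authenticator's final filter state."""
    users = {"U1": "PSWD1", "U2": "PSWD2", "U3": "PSWD3"}  # constructed
    server, auth = AuthServer(users), Authenticator()
    requests = [
        ("U1", "PSWD1", "MAC1", "P1"),  # SUP1 first access at its own line
        ("U2", "PSWD2", "MAC2", "P2"),  # SUP2 first access at its own line
        ("U1", "PSWD1", "MAC1", "P2"),  # U1 brings CPE1 to U2's home: nomadism
        ("U3", "PSWD3", "MAC1", "P2"),  # MAC1 reused at another port: refused
        ("U1", "PSWD1", "MAC2", "P2"),  # U1 on U2's computer with own password
        ("U1", "PSWD1", "MAC1", "P1"),  # U1 back home
    ]
    results = []
    for user, password, mac, port in requests:
        reply = server.decide(user, password, mac, port)
        auth.interpret(reply, port, mac)
        results.append(reply[0])
    return results, auth
```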

It has to be mentioned that access is granted by means of generating by the decision means a result that comprises an authentication.

It is to be noticed that the term ‘comprising’, used in the claims, should not be interpreted as being limitative to the means listed thereafter. Thus, the scope of the expression ‘a device comprising means A and B’ should not be limited to devices consisting only of components A and B. It means that with respect to the present invention, the only relevant components of the device are A and B.

Similarly, it is to be noticed that the term ‘coupled’, also used in the claims, should not be interpreted as being limitative to direct connections only. Thus, the scope of the expression ‘a device A coupled to a device B’ should not be limited to devices or systems wherein an output of device A is directly connected to an input of device B. It means that there exists a path between an output of A and an input of B which may be a path including other devices or means.

The above and other objects and features of the invention will become more apparent and the invention itself will be best understood by referring to the following description of an embodiment taken in conjunction with the accompanying drawings wherein FIG. 1 represents a global communication network.

The working of the device according to the present invention in accordance with its telecommunication environment that is shown in FIG. 1 will be explained by means of a functional description of the different blocks shown therein. Based on this description, the practical implementation of the blocks will be obvious to a person skilled in the art and will therefore not be described in detail. In addition, the principle working of the method to grant a supplicant access to a data communication network will be described in further detail.

Referring to FIG. 1, a global communication network is shown.

The global communication network comprises two customer premises equipment i.e. first customer premises equipment CPE1 and second customer premises equipment CPE2; a data communication network DCN and an Authentication Server AS.

The first and second customer premises equipment CPE1 and CPE2 are each coupled to the data communication network DCN.

The Authentication Server AS is also coupled to the data communication network DCN.

The second customer premises equipment CPE2 comprises a terminal unit TU2. The terminal unit TU2 comprises a supplicant SUP2 and has a Medium Access Control address MAC2.

The other customer premises equipment CPE1 comprises a terminal unit TU1. The terminal unit TU1 has a MAC address MAC1 and comprises a supplicant SUP1. In this way the supplicant SUP1 is associated to the MAC1 address.

Presume that in the normal situation the first and second customer premises equipment CPE1 and CPE2 are respectively used by a first user U1 having password PSWD1 and a second user U2 having password PSWD2.

The Data Communication Network DCN comprises an Access Unit AU that comprises a plurality of ports. Two ports, P1 and P2, are explicitly shown. These two ports of the Access Unit are each coupled to one of the customer premises equipment. More in detail, the first customer premises equipment CPE1 is coupled via a first port P1 of the access unit AU to the data communication network DCN and the other customer premises equipment CPE2 is coupled via another port P2 of the access unit AU to the data communication network. The access unit AU comprises an authenticator AUTH1 that comprises a transmitter TX, a receiver RX and a filter FILT. The transmitter TX and the receiver RX are both coupled to the authentication server AS. The transmitter TX and the receiver RX are also coupled to the interpreter INTPR that in its turn is coupled to the filter FILT. According to this embodiment the filter FILT is also coupled to the different ports of the access unit AU. The couplings to the two ports P1 and P2 are explicitly shown in FIG. 1. The couplings to the other ports are only shown with a dotted line.

The Authentication Server AS comprises a decider DEC that is coupled to an input/output of the authentication server AS. The decider DEC comprises a first controller CONT1, a second controller CONT2, a third controller CONT3 and a fourth controller CONT4.

The authentication server AS further comprises a registration memory MEM that is coupled to an input/output of the authentication server AS and to the decider DEC.

The supplicants SUP1 and SUP2, the authenticator AUTH1 and the authentication server AS are enabled to communicate with each other to execute an authentication procedure and to thereby eventually grant the supplicant SUP1 or SUP2 access to the data communication network via its respective port of the authenticator.

This will now be explained in more detail.

Controlled and uncontrolled access is explained in the IEEE Standard 802.1X-2001, page 8. The operation of the Port-based access control has the effect of creating two distinct points of access (not shown in FIG. 1) to the authenticator System's point of attachment to the Local Area Network LAN. One point of access allows the uncontrolled exchange of packet data units, hereafter called PDUs, between the system and the other systems on the LAN, regardless of the authorization state i.e. the uncontrolled port; the other point of access allows the exchange of PDUs only if the current state of the Port is authorized i.e. the controlled port. The uncontrolled and controlled Ports are considered to be part of the same point of attachment to the LAN e.g. port P1 for supplicant SUP1 in cooperation with authenticator AUTH1. Any frame received on the physical port is made available at both the controlled and uncontrolled ports, subject to the Authorization State associated with the controlled port.

Furthermore, see also 802.1X-2001, page 8, last paragraph, the point of attachment to the LAN can be provided by any physical or logical port that can provide a one-to-one connection to a supplicant system. For example, a single LAN MAC in a switched LAN infrastructure can provide the point of attachment. In LAN environments where the MAC method allows the possibility of a one-to-many relationship between an authenticator and a supplicant, for example in shared media environments, the creation of a distinct association between a single supplicant and a single authenticator is a necessary precondition for the access control mechanisms described in 802.1X-2001 to function.

It has to be remarked, as explained above, that the functionality of different single authenticators, each associated to a distinct supplicant, can be integrated in one global authenticator taking care of the different supplicants. Such an implementation, with one integrated authenticator AUTH1, is preferred for this particular embodiment. However, this is no limitation to the principle idea of the present invention.

The different roles in the access control mechanism of the two supplicants SUP1 and SUP2, the authenticator AUTH1 and the authentication server AS will now be explained.

The Authenticator AUTH1 uses the uncontrolled Port (not shown) for the purposes of exchanging protocol information with a respective supplicant and is further responsible for enforcing the authentication of one of the supplicants SUP1 or SUP2 that are attached to one of its controlled Ports, P1 or P2 respectively, and for controlling the authorization state of the respective controlled Port accordingly.

In order to perform the authentication, the Authenticator AUTH1 makes use of the Authentication Server AS. The Authentication Server AS may be co-located in the same System as the Authenticator AUTH1, or it may be located elsewhere, accessible via remote communication mechanisms, LAN-based or otherwise. This preferred embodiment describes an Authentication Server AS that is common to all authenticators of the same DCN. Indeed the nomadism requirement and the MAC address stealing problem concern the whole Ethernet communication network to which the authenticators are connected, and therefore they should be solved for the DCN as a whole. This is achieved by having the same AS for all the authenticators connected to the same Ethernet DCN.

The supplicant, SUP1 or SUP2, is responsible for communicating its credentials to the Authenticator AUTH1 in response to requests from the Authenticator AUTH1. The Supplicant may also initiate authentication exchanges and perform Logoff exchanges.

Authentication occurs primarily at System initialization time, or when a Supplicant System is connected to a Port of an Authenticator System. Until authentication has successfully completed, the Supplicant System only has access to the Authenticator System to perform authentication exchanges, or to access any services offered by the Authenticator's System that are not subject to the access control restrictions placed on the Authenticator's controlled Port. Once authentication has successfully completed, the Authenticator System allows full access to the services offered via the Authenticator System's controlled Port.

For this embodiment, it is preferred to define an encapsulation format that allows the authentication messages to be carried directly by a LAN MAC service. This encapsulated form of EAP, known as EAP over LANs, or EAPOL, is used for all communication between the Supplicants SUP1 and SUP2 and the Authenticator AUTH1. The Authenticator AUTH1 then repackages the EAP protocol for onward transmission to the Authentication Server AS. For this embodiment RADIUS is preferred for providing this latter aspect of communication. However, it has to be remarked that this may be achieved by the use of other protocols.

Furthermore, once the authentication procedure is started, one of the following results can be generated:

-   a) The authentication procedure terminates due to excessive timeouts in the sequence of requests and responses. This results in the aborting state.
-   b) The authentication procedure terminates due to the Authentication Server AS returning a “Reject message”, called herein “an authentication reply that comprises a result that comprises a refusal”, to the Authenticator AUTH1.
-   c) The authentication procedure terminates due to the Authentication Server AS returning an “Accept message” to the Authenticator AUTH1, called herein “an authentication reply that comprises a result that comprises an authentication”.

As is explained above, a supplicant, e.g. SUP1, desires to receive a grant to access the data communication network DCN. The supplicant is also associated to the MAC1 address of the terminal unit TU1 and is coupled to a port P1 of the authenticator AU. A user password PSWD1 is provided by the first user U1 to the first customer premises equipment CPE1 and reaches the authenticator AU via the supplicant SUP1 and the first port P1.

In order to acquire this grant the transmitter TX of the authenticator AU transmits an authentication request to the authentication server AS. The authentication server AS makes an authentication decision based upon predefined rules and conditions. The decider DEC of the authentication server AS is used for this purpose. Hereafter, the authentication server AS transmits an authentication reply that comprises a result of the authentication decision to the authenticator AUTH1.

However, in order to make the authentication decision for the supplicant SUP1, the authentication server AS also comprises, according to the present invention, a first registration memory MEM1 and a second registration memory MEM2. These registration memories comprise entries.

An entry of the first registration memory comprises an association between a Medium Access Control address, such as MAC2 of a granted supplicant SUP2, and a user password such as PSWD2, the granted supplicant having previously received a grant with this user password PSWD2 to access the data communication network DCN.

An entry of the second registration memory comprises an association between a Medium Access Control address, such as MAC2 of a granted supplicant SUP2, and an authenticated port P2 being authenticated for this granted supplicant that already received a grant to access the data communication network DCN via this authenticated port P2.

The decider DEC generates the result RES of the authentication decision based upon predefined rules and conditions. The respective result RES of the authentication decision of the decider DEC is comprised in the authentication reply and is transmitted by the authentication server AS to the authenticator AUTH1.

The receiver RX of the authenticator AUTH1 receives the authentication reply from the authentication server AS.

The interpreter INTPR of the authenticator AUTH1 interprets the authentication reply as being received from an authentication server AS that is indeed enabled, according to the present invention, to support its authentication decision by means of e.g. such a first controlling step executed by a first controller CONT1. It has to be remarked that the interpreter is implemented by means of a decoder that decodes the authentication reply received from the authentication server AS.

The interpreter INTPR can be implemented in different ways. One possible way is that the interpreter INTPR knows, according to a reference included in the authentication reply, to which previously transmitted authentication request it is related and thereby which supplicant, e.g. SUP1, it concerns. The interpreter INTPR is enabled to retrieve, based upon this supplicant SUP1, from a database of the authenticator AUTH1 the associated MAC address and port, i.e. MAC1 and P1. Another possible implementation is that no authentication request database is kept and that the interpreter INTPR relies upon the information in the authentication reply. This means that the interpreter INTPR retrieves from the authentication reply the port and MAC address that are included in this authentication reply.

According to these possible implementations, the information, i.e. the concerned MAC address and the port, in the example MAC1 and P1, is forwarded to the filter FILT. The filter FILT is set according to the information that is comprised in the authentication reply and in its turn, the filter FILT filters the traffic for port P1 accordingly. This means that:

-   in the event when the result RES(AUTH) comprises an authentication for the MAC1 address, whereby the supplicant SUP1 with the MAC1 address is indeed granted to access the data communication network DCN via the port P1 of the authenticator AU, the filter FILT accepts traffic of the supplicant SUP1 via the port P1, but only for the MAC1 address for which the authorization was given; and
-   in the event when the result RES(REF) comprises a refusal for the MAC1 address, whereby the supplicant SUP1 with MAC1 address is denied to access the data communication network DCN via the port P1 of the authenticator AU, the filter FILT refuses traffic of the supplicant SUP1 with MAC1 address.

It has to be remarked that the filter FILT can be implemented by means of one filter block for every port of the authenticator AUTH1 or it can be implemented as one centralized functional block that controls the traffic over the different ports of the authenticator AUTH1.

The decider DEC generates the result RES of the authentication decision based upon predefined rules and conditions.

These predefined rules and conditions comprise four controlling steps, respectively executed by the first controller CONT1, the second controller CONT2, the third controller CONT3 and the fourth controller CONT4.

The first controller CONT1 of the decider DEC executes, according to the present invention, a first controlling step of controlling the first registration memory MEM1 upon a presence of a previous entry that comprises a first association between the first Medium Access Control address MAC1 of a supplicant SUP1 and the user password PSWD1 for the supplicant.

The information such as this Medium Access Control address and the password is found in the authentication request and is extracted by the decider DEC from the authentication request. The first controller CONT1 uses this information as input for the first registration memory MEM1. The first registration memory MEM1 receives as input (MAC1, PSWD1).

The first registration memory MEM1 reacts on this input with an OK message, which means that the pair-entry (MAC1, PSWD1) was found in the first registration memory MEM1, or a NOK message, which means that the pair-entry (MAC1, PSWD1) was not found in the registration memory MEM1. Such an OK message or NOK message is taken into account by the decider DEC to generate a result RES, which will be explained in a further paragraph.

In the following paragraphs the first controlling step will be further explained and a second controlling step will be introduced.

In the event when the first controlling step is positive, this means that an entry (MAC1, PSWD1) is found in the first registration memory MEM1 (not shown in FIG. 1), the decider DEC generates a result RES(AUTH) that comprises an authentication for the port P1 and for the MAC1 address, whereby the supplicant SUP1 with the MAC1 address and with the password PSWD1 is granted to access the data communication network DCN via the port P1 of the authenticator AU. Since the respective association is present in the first registration memory MEM1, no further entry needs to be made.

It needs to be explained that the positive authentication result is independent of the port to which the supplicant is coupled. This means that the user with its terminal unit TU1 might as well be coupled to another port of the authenticator AUTH1, i.e. being present at another home (not shown in FIG. 1). User nomadism is herewith enabled in a secure way.

In the event when the first control is negative, this means that an entry (MAC1, PSWD1) is not found in the first registration memory MEM1 (not shown in FIG. 1), the decider DEC comprises a second controller CONT2 to execute a second control on the first registration memory MEM1 upon a presence of a previous entry that comprises a second association between the MAC address MAC1 of the supplicant SUP1 with another password, i.e. a pair (MAC1; any other password besides the one in the authorization request).

In the event when the second control is negative, the decider DEC generates a result RES(AUTH) that comprises an authentication for the port P1 and for the MAC1 address, whereby the supplicant SUP1 with the MAC1 address and with the password PSWD1 is granted to access the data communication network DCN via the port P1 of the authenticator AU. This means also that the Medium Access Control address MAC1 is not at all found in the first registration memory MEM1, whereby it is supposed that the supplicant SUP1 is requesting access for the first time. Since the respective association (MAC1; PSWD1) is not present in the first registration memory MEM1, an entry of this association is made.

It has to be remarked that the second controller CONT2 can be implemented by means of another functional block than the first controller CONT1. However, it has to be explained that both controllers can also be implemented by means of one and the same functional block. According to such an implementation, the parameters that are used by such a global controller are defined in a different way depending on the controlling step that has to be executed, i.e. a first controlling step with e.g. (MAC1; PSWD1) as input or a second controlling step with e.g. (MAC1; any other password besides PSWD1).

Furthermore, it has to be explained that both controlling steps can also be implemented by execution of one global controlling step that provides, instead of an OK message or a NOK message, a more detailed feedback such as e.g. (MAC1 OK; PSWD1 NOK), which would mean that MAC1 is found in the first registration memory MEM1 in relation with another port. However, the detailed description of the different ways of implementation goes beyond the aim of the present invention.

In the event when the first control is negative and in the event when the second control is negative, the authentication server AS inserts a new entry in the first registration memory MEM1 that comprises the MAC1 address of the supplicant SUP1 and the password of the authenticator PSWD1. Furthermore, the decider DEC generates a result RES(AUTH) that comprises an authentication for the port P1 and for the Medium Access Control address MAC1, whereby the supplicant SUP1 with the MAC1 address is granted to access the data communication network DCN via the port P1 of the authenticator AU.

In the event when the first control is negative and in the event when the second control is negative, a registration is also made in the second registration memory MEM2 with an association between the first Medium Access Control address MAC1 of the first supplicant SUP1 and the first port P1 of the authenticator (AUTH). It has to be explained that in very exceptional cases such an entry (MAC1; P1) in the second registration memory MEM2 could already exist. A further check-up concerning MAC stealing should be made here before providing the authentication.

In the event when the second controlling step is positive, i.e. an actual entry in the first registration memory MEM1 of the MAC1 with another password, the following controlling steps are used in the method of the present invention:

-   executing with the third controller CONT3 a third controlling step of controlling the second registration memory MEM2 upon a presence of a previous entry that comprises a third association between the first Medium Access Control address MAC1 of the first supplicant SUP1 and the first port P1 of the authenticator; and
-   executing with a fourth controller CONT4 a fourth controlling step of controlling the second registration memory MEM2 upon a presence of a previous entry that comprises a fourth association between the first Medium Access Control address MAC1 of the first supplicant SUP1 and another port of said authenticator.

In the event when the third controlling step is positive, the method further comprises a step of generating a result that comprises an authentication for the first Medium Access Control address MAC1 with the first password PSWD1 and thereby granting the first supplicant SUP1 to access the data communication network DCN via the first port P1 of the authenticator AU. This means that although no association (MAC1; PSWD1) is known, the actual known association (MAC1; another PSWD) indicates a potential presence for (MAC1; P1). When this third association is indeed also known in the second registration memory MEM2, it is explained that the user U1 with PSWD1 is at another home using a computer (CPE1 with SUP1 having MAC1 address, not shown in FIG. 1) of this other home and that this computer is coupled to port P1 of the authenticator AUTH1. A second way of user nomadism is hereby allowed in a secure way.

In the event when the third controlling step is negative and the fourth controlling step is positive, the method further comprises a step of generating a result that comprises a refusal for the first port P1 and for the first Medium Access Control address MAC1 and thereby denying the first supplicant SUP1 to access the data communication network DCN via the first port P1. Indeed, when no first association (MAC1; PSWD1) is known, but a second association (MAC1; another PSWD) is known; and when no third association (MAC1; P1) is known but a fourth association (MAC1; another P) is known in the second registration memory MEM2, it means that the user of the PSWD1 is stealing the MAC1 address.

This means that by taking into account, at this stage of the procedure of predefined rules and conditions, a potential earlier grant for a pair (MAC, port) relation during the authentication decision of the decider DEC, and by setting the port P1 of the authenticator AUTH1 for the requesting supplicant SUP1 accordingly, i.e. allowing traffic, in the event of an authentication result, only for the MAC address MAC1 for which the authorization was provided, the granting of access for a duplicated MAC address is avoided and malicious users are anticipated.

Hereby a method is provided whereby firstly, user nomadism is allowed and whereby, secondly, Medium Access Control address stealing is prohibited.
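As an added illustration, not code from the patent, the following Python model walks through the decision procedure described above: the decider DEC with its four controlling steps over the registration memories MEM1 (MAC, password) and MEM2 (MAC, port), and the authenticator's filter FILT that, after RES(AUTH), passes traffic on a port only for the granted MAC address. All class and method names are this example's own, and the one case the text does not cover (MAC known in MEM1 with another password but absent from MEM2) is refused here by assumption.

```python
from dataclasses import dataclass, field

# Result labels as used in the text: RES(AUTH) grants, RES(REF) refuses.
RES_AUTH = "RES(AUTH)"
RES_REF = "RES(REF)"


@dataclass
class AuthenticationServer:
    """Authentication server AS with its decider DEC and the two registration
    memories: MEM1 holds (MAC, password) pairs, MEM2 holds (MAC, port) pairs."""
    mem1: set = field(default_factory=set)
    mem2: set = field(default_factory=set)

    def control1(self, mac, pswd):
        """First controlling step (CONT1): is the pair (MAC1, PSWD1) in MEM1?"""
        return (mac, pswd) in self.mem1

    def control2(self, mac, pswd):
        """Second controlling step (CONT2): is MAC1 in MEM1 with another password?"""
        return any(m == mac and p != pswd for m, p in self.mem1)

    def control3(self, mac, port):
        """Third controlling step (CONT3): is the pair (MAC1, P1) in MEM2?"""
        return (mac, port) in self.mem2

    def control4(self, mac, port):
        """Fourth controlling step (CONT4): is MAC1 in MEM2 with another port?"""
        return any(m == mac and p != port for m, p in self.mem2)

    def decide(self, mac, pswd, port):
        """Authentication decision of DEC for the request (MAC1, PSWD1) arriving
        on port P1. Returns the reply as (result, mac, port)."""
        if self.control1(mac, pswd):
            # Known (MAC1, PSWD1): grant whatever the port -> first form of nomadism.
            return (RES_AUTH, mac, port)
        if not self.control2(mac, pswd):
            # MAC1 unknown in MEM1: first request, so register in MEM1 and MEM2.
            self.mem1.add((mac, pswd))
            self.mem2.add((mac, port))
            return (RES_AUTH, mac, port)
        # MAC1 is known in MEM1, but with another password.
        if self.control3(mac, port):
            # (MAC1, P1) was granted before: a user of the same equipment at this
            # home -> second form of nomadism.
            return (RES_AUTH, mac, port)
        if self.control4(mac, port):
            # MAC1 was granted on another port: MAC address stealing suspected.
            return (RES_REF, mac, port)
        # Case not covered by the text (MAC1 in MEM1 but absent from MEM2);
        # this example assumes refusal as the safe default.
        return (RES_REF, mac, port)


class AuthenticatorFilter:
    """Filter FILT of the authenticator AUTH1: after RES(AUTH) a port passes
    traffic only for the MAC address for which the authorization was given."""

    def __init__(self):
        self.granted = {}  # port -> granted MAC address

    def apply(self, reply):
        """Set the filter from the (result, mac, port) carried in the reply."""
        result, mac, port = reply
        if result == RES_AUTH:
            self.granted[port] = mac
        else:
            self.granted.pop(port, None)

    def accepts(self, port, src_mac):
        """True when a frame with source src_mac may pass on this port."""
        return self.granted.get(port) == src_mac


if __name__ == "__main__":
    # Constructed walk-through of the outcomes described in the text.
    server, filt = AuthenticationServer(), AuthenticatorFilter()
    reply = server.decide("MAC1", "PSWD1", "P1")   # first request: registered
    filt.apply(reply)
    print(reply, filt.accepts("P1", "MAC1"), filt.accepts("P1", "MAC9"))
    print(server.decide("MAC1", "PSWD1", "P3"))    # same user at another home
    server.mem1.add(("MAC2", "PSWD2"))             # granted supplicant SUP2 ...
    server.mem2.add(("MAC2", "P2"))                # ... on its port P2
    print(server.decide("MAC2", "PSWD1", "P2"))    # U1 on SUP2's equipment: granted
    print(server.decide("MAC2", "PSWDX", "P1"))    # MAC2 claimed on P1: refused
```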

A final remark is that embodiments of the present invention are described above in terms of functional blocks. From the functional description of these blocks, given above, it will be apparent to a person skilled in the art of designing electronic devices how embodiments of these blocks can be manufactured with well-known electronic components. A detailed architecture of the contents of the functional blocks hence is not given.

While the principles of the invention have been described above in connection with specific apparatus, it is to be clearly understood that this description is made only by way of example and not as a limitation on the scope of the invention, as defined in the appended claims.

1. Method to grant a first supplicant (SUP1) access to a data communication network (DCN), said first supplicant (SUP1) having associated a first Medium Access Control address (MAC1) and being coupled to a first port (P1) of an authenticator (AU) of said data communication network (DCN), said method comprises: a step of transmitting an authentication request by said authenticator (AUTH) to an authentication server (AS) being coupled thereto; and a step of making by said authentication server (AS) an authentication decision based upon predefined rules and conditions; and a step of transmitting by said authentication server (AS) to said authenticator (AU) an authentication reply that comprises a result of said authentication decision, characterized in that said method further comprises a step of developing by said authentication server (AS) a first registration memory (MEM1) that comprises entries whereby an entry comprises an association between a Medium Access Control Address of a granted supplicant and a granted password for said granted supplicant (SUP2), said granted supplicant received previously a grant to access said data communication network (DCN); and that said predefined rules and conditions comprises a first controlling step of controlling said first registration memory (MEM1) upon a presence of a previous entry that comprises a first association between said first Medium Access Control Address of said first supplicant (MAC1) and a first password (PSWD1) for said first supplicant (SUP1); and whereby in the event when said first controlling step being positive, said method further comprises a step of generating a result that comprises an authentication for said first Medium Access Control address (MAC1) with said first password (PSWD1) and thereby granting said first supplicant (SUP1) to access said data communication network (DCN) via said first port (P1) of said authenticator (AU).

2. The method to grant a supplicant (SUP1) access to a data communication network (DCN) according to claim 1, whereby in the event when said first controlling step being negative said method further comprises a second controlling step of controlling said first registration memory (MEM1) upon a presence of a previous entry that comprises a second association between said first Medium Access Control address (MAC1) of said first supplicant (SUP1) with another password, whereby in the event when said second controlling step being negative, said method further comprises a step of generating a result that comprises an authentication for said first Medium Access Control address (MAC1) with said first password (PSWD1) and thereby granting said first supplicant (SUP1) to access said data communication network (DCN) via said first port (P1) of said authenticator (AU); and a step of registering an entry in said first registration memory (MEM1) with said first association between said first Medium Access Control Address of said first supplicant (MAC1) and said first password (PSWD1) for said first supplicant (SUP1).

3. The method to grant a supplicant (SUP1) access to a data communication network (DCN) according to claim 2, whereby said method further comprises: developing by said authentication server (AS) a second registration memory (MEM2) that comprises entries whereby an entry comprises an association between a Medium Access Control address of a granted supplicant and an authenticated port for said granted supplicant that received previously a grant to access an allowed data communication network (DCN) via said authenticated port; and in the event when said second controlling step being negative, also registering an entry in said second registration memory (MEM2) with an association between said first Medium Access Control Address (MAC1) of said first supplicant (SUP1) and said first port (P1) of the authenticator (AUTH).

4. The method to grant a supplicant (SUP1) access to a data communication network (DCN) according to claim 3, whereby said method further comprises, in the event when said second controlling step being positive: a third controlling step of controlling said second registration memory (MEM2) upon a presence of a previous entry that comprises a third association between said first Medium Access Control address (MAC1) of said first supplicant (SUP1) and said first port (P1) of said authenticator; and a fourth controlling step of controlling said second registration memory (MEM2) upon a presence of a previous entry that comprises a fourth association between said first Medium Access Control address (MAC1) of said first supplicant (SUP1) and another port of said authenticator; and in the event when said third controlling step being positive, said method further comprises a step of generating a result that comprises an authentication for said first Medium Access Control address (MAC1) with said first password (PSWD1) and thereby granting said first supplicant (SUP1) to access said data communication network (DCN) via said first port (P1) of said authenticator (AU); and in the event when said third controlling step being negative and said fourth controlling step being positive, generating a result that comprises a refusal for said first port (P1) and for said first Medium Access Control address (MAC1) and thereby denying said first supplicant (SUP1) to access said data communication network (DCN) via said first port (P1).

5. An authentication server (AS) to transmit to an authenticator (AU), upon reception of an authentication request from said authenticator (AUTH), an authentication reply that comprises a result of an authentication decision, said authentication server (AS) comprises: a decision means (DEC) to generate said result (RES) based upon predefined rules and conditions, said authentication request concerns a request to grant for a first supplicant (SUP1) access to a data communication network (DCN), said first supplicant (SUP1) having associated a first Medium Access Control address (MAC1) and being coupled to a first port (P1) of said authenticator (AU) of said data communication network (DCN), characterized in that said authentication server (AS) further comprises a first registration memory (MEM1) coupled to said decision means (DEC), said first registration memory (MEM1) comprises entries whereby an entry comprises an association between a Medium Access Control address of a granted supplicant and a password for said granted supplicant that previously received a grant to access an allowed data communication network (DCN) via an authenticated port via which said granted supplicant being coupled to said authenticator (AU); and that said decision means (DEC) comprises a first control means (CONT1) to execute a first control on said first registration memory (MEM1) upon a presence of a previous entry that comprises a first association between said first Medium Access Control address (MAC1) of said first supplicant (SUP1) and a first password (PSWD1) for said first supplicant (SUP1); and that said decision means (DEC) is further included to generate, in the event when said first control is positive, a result (RES(AUTH)) that comprises an authentication for said first port (P1) and for said first Medium Access Control address (MAC1) whereby said first supplicant (SUP1) being granted to access said data communication network (DCN) via said first port (P1) of said authenticator (AU).

6. The authentication server (AS) according to claim 5, wherein said decision means of said authentication server further comprises a second control means (CONT2) to execute, in the event when said first control is negative, a second control on said first registration memory (MEM1) upon a presence of a previous entry that comprises a second association between said first Medium Access Control address (MAC1) with another password, and whereby in the event when said second control is negative, said decision means (DEC) generates a result (RES(AUTH)) that comprises an authentication for said first port (P1) and for said first Medium Access Control Address (MAC1) whereby said first supplicant (SUP1) being granted to access said data communication network (DCN) via said first port (P1) of said authenticator (AU).

7. The authentication server (AS) according to claim 6, wherein said authentication server (AS) further comprises a second registration memory (MEM2) coupled to said decision means (DEC), said second registration memory (MEM2) comprises entries whereby an entry comprises an association between a Medium Access Control Address of a granted supplicant and an authenticated port for said granted supplicant that previously received a grant to access an allowed data communication network (DCN) via said authenticated port via which said granted supplicant being coupled to said authenticator (AU); and in the event when said second control is negative, said authentication server also registers an entry in said second registration memory (MEM2) with an association between said first Medium Access Control Address (MAC1) of said first supplicant (SUP1) and said first port (P1) of said first supplicant (MAC1).

8. The authentication server (AS) according to claim 7, wherein said decision means (DEC) further comprises: a third control means (CONT3) to execute a third control on said second registration means (MEM2) upon a presence of a previous entry that comprises a third association between said first Medium Access Control address (MAC1) of said first supplicant (SUP1) and said first port (P1) of said authenticator; and a fourth control means (CONT4) to execute a fourth control on said second registration memory (MEM2) upon a presence of a previous entry that comprises a fourth association between said first Medium Access Control Address (MAC1) of said first supplicant (SUP1) with another port of said authenticator (AU); and said decision means (DEC) is further included to generate, in the event when said second control is positive and in the event when said third control is positive, a result (RES(AUTH)) that comprises an authentication for said first port (P1) and for said first Medium Access Control address (MAC1) whereby said first supplicant (SUP1) being granted to access said data communication network (DCN) via said first port (P1) of said authenticator (AU); and said decision means (DEC) is further included to generate, in the event when said second control is positive and said third control is negative and said fourth control is positive, a result (RES(REF)) that comprises a refusal for said first port (P1) and for said first Medium Access Control Address (MAC1) whereby said first supplicant (SUP1) is denied to access said data communication network (DCN) via said port (P1) of said authenticator (AU).

9. An authenticator (AUTH1) that desires to enable a first supplicant (SUP1) access to a data communication network (DCN), said first supplicant (SUP1) having associated a first Medium Access Control address (MAC1) and being coupled to a first port (P) of said authenticator (AU) of said data communication network (DCN), said authenticator (AUTH) comprises therefore a transmitter (TX) to transmit an authentication request to an authentication server (AS) being coupled to said authenticator (AU); and a receiver (RX) to receive from said authentication server (AS) an authentication reply that comprises a result of an authentication decision based upon predefined rules and conditions, characterized in that said authenticator (AUTH) comprises an interpreter (INTPR) to interpret said authentication reply as being received from an authentication server (AS) according to claim 5 and to set a filter of said authenticator (AUTH1) accordingly, whereby in the event when said result (RES(AUTH)) comprises an authentication for said first port (P1) and for said first Medium Access Control address (MAC1) whereby said first supplicant (SUP1) with said first Medium Access Control address (MAC1) being granted to access said data communication network (DCN) via said first port (P1) of said authenticator (AU), said filter accepts traffic of said first supplicant (SUP1) via said first port (P1) only for said first Medium Access Control address (MAC1); and whereby in the event when said result (RES(REF)) comprises a refusal for said first port (P1) and for said first Medium Access Control address (MAC1) whereby said first supplicant (SUP1) with said first Medium Access Control address (MAC1) being denied to access said data communication network (DCN) via said first port (P1) of said authenticator (AU), said filter refuses traffic of said first supplicant (SUP1).